Overview
Privacy isn't a checkbox. It's a commitment. Sally AI is built on the principle that your data belongs to you: it stays within the EU, primarily in Germany at Hetzner, is masked before any AI model ever touches it, and is never used to train or improve language models. We hold ourselves to the highest European data protection standards so you can focus on getting value from AI, without compromise.
Compliance & Certifications
Fully compliant with the EU General Data Protection Regulation. GDPR-compliant DPA under Art. 28 with every customer.
All data is stored in the EU, primarily in Germany at Hetzner. No third-country transfers, ever. From end of May 2026, exclusively in German data centers at Hetzner.
All personal data is masked before being processed by any language model. Identifiable information never reaches the AI.
Hosted in ISO 27001-certified EU data centers. Security management aligned with ISO 27001 principles.
Environmental management system per ISO 14001. We are committed to sustainable operations and continuous improvement of our environmental performance.
Quality management system per ISO 9001. Our processes are systematically monitored and continuously improved.
Service organization controls aligned with SOC 2 principles for security, availability, and confidentiality.
Your data is never used to train or improve language models, guaranteed contractually and technically.
All data stored exclusively in German data centers, with zero dependency on non-German EU regions.
We are actively working toward ISO 27001 certification (currently: certified infrastructure).
We are actively working toward ISO 14001 certification for sustainable environmental management.
We are actively working toward ISO 9001 certification for systematic quality management.
Network-level separation of administration traffic and compute workload networks, including a dedicated jump/bastion host (per BSI C5:2026, controls COS-02.01B, COS-05.01B, COS-05.02B).
Security Controls
- ✓ AES-256 encryption at rest
- ✓ TLS/SSL encryption in transit
- ✓ ISO 27001-certified EU data centers
- ✓ DDoS protection & rate limiting
- ✓ Geo-redundant backups
- ✓ Multi-factor authentication (MFA) on all systems
- ✓ Role-based access control (RBAC)
- ✓ Principle of least privilege
- ✓ Full audit logging of all access
- ✓ Tenant-level data separation
- ✓ Personal data masked before any LLM processing
- ✓ No AI training on customer data, ever
- ✓ EU-region Azure OpenAI deployment
- ✓ Bring Your Own LLM option available
- ✓ On-premises storage option available
- ✓ DPA with every customer & all subprocessors
- ✓ Regular employee security training
- ✓ Incident notification to customer < 24 hours
- ✓ Annual penetration tests by external security firms
- ✓ DPIA per Article 35 GDPR
- ✓ Regular internal security reviews
Completing the DPA: Two Options
Documents & Resources
GDPR-compliant DPA under Art. 28, signed with every customer. Available in English and German.
Download DPA →
Our full technical and organizational security measures. Annex 1 of the DPA.
Download TOMs →
All subprocessors with processing purpose and EU hosting location. Annex 3 of the DPA.
Download List →